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METHOD AND SYSTEM FOR DYNAMICALLY DISTRIBUTING 
UPDATES IN A NETWORK 

TECHNICAL FIELD OF THE INVENTION 

This invention relates generally to computer 
networking, and more particularly to a method and system 
for dynamically distributing updates in a network. 
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BACKGROUND OF THE INVENTION 

Computer networks have become an increasingly 
important means for communicating public and private 
information between and within distributed locations. The 
5 Internet is one example of a public network commonly used 

for communicating public and private information. Internet 
web servers provide access to public information, such as 
news, business information, and government information, 
which the Internet makes readily available around the 

10 world. The Internet is also becoming a popular forum for 

business transactions, including securities transactions 
and sales of goods and services. A large number of people 
have come to depend upon reliable Internet access and 
secure communications on a day-by-day and even second-by- 

15 second basis. Like the Internet, private networks also 

have become common means for communicating important 
information. Private networks, such as company intranets, 
local area networks (LANs) , and wide area networks (WANs) 
generally limit access on a user-by-user basis and 

20 communicate data over dedicated lines or by controlling 

access through passwords, encryption, or other security 
measures . 

One danger to reliable and secure network 
communications is posed by hackers or other unauthorized 

25 users disrupting or interfering with network resources. 

The danger posed by unauthorized access to computer network 
resources can vary from simple embarrassment to substantial 
financial losses. For example, serious financial 

disruptions occur when hackers obtain financial account 

30 information or credit card information and use that 

information to misappropriate funds. 

Typically, network administrators use various levels 
of security measures to protect the network against 
unauthorized use. Intrusion detection systems are commonly 

35 used to detect and identify unauthorized use of a computer 
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network before the network resources and information are 
substantially disrupted or violated. In general, intrusion 
detection systems look for specific patterns in network 
traffic, known as intrusion signatures to detect malicious 
5 activity. Conventional intrusion detection systems often 

use finite state machines, simple pattern matching, or 
specialized algorithms to identify intrusion signatures in 
network traffic. Detected intrusion signatures are 
reported to network administration. 

10 A problem with conventional intrusion detection 

systems is that when a new vulnerability, or type of attack 
on the network, is discovered, a new intrusion signature 
must be generated and installed for each intrusion 
detection system. As a result, unless a network 

15 administrator frequently checks for new signatures 

developed by an intrusion detection provider and installs 
the new signatures for each sensor in his or her system, 
the system will remain vulnerable to the new types of 
attack. Because new types of attacks appear more 

20 frequently than network administrators typically check with 

an intrusion detection provider for new signatures, 
networks often remain vulnerable to new types of attacks 
even though new signatures are available to identify and 
prevent such attacks . 
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SUMMARY OF THE INVENTION 

The present invention provides a method and system for 
dynamically distributing intrusion detection and other 
types of updates in a network that substantially eliminate 
5 or reduce disadvantages and problems associated with prior 

methods and systems. In particular, the present invention 
automatically downloads updates from a remote site in 
response to a timed event. 

In accordance with one embodiment of the present 

10 invention, a first version of a program operating at a 

network site is updated by automatically downloading from 
a remote site any update for the program in response to an 
automated event. A downloaded update is installed to 
generate a second version of the program. The second 

15 version of the program is operated at the network site in 

place of the first version. 

More particularly, in accordance with a particular 
embodiment of the present invention, the automated event is 
a timed event. In this embodiment, the first version of 

2 0 the program is aged and the timed event is the first 

version reaching a specified age. The specified age may be 
24 hours or other suitable age. In other embodiments, the 
timed event may be a specified time such that any updates 
are automatically downloaded once a day, once a week, or at 

25 other suitable frequency. 

After installation of a downloaded update, it may be 
determined whether the second version of the program is 
operating correctly. In response to incorrect operation of 
the second version, the first version of the program may be 

30 restored for operation at the network site. In response to 

correct operation of the second version, the downloaded 
update may be distributed to disparate network sites 
operating the first version of the program. There, the 
downloaded update may be installed to generate the second 

35 version of the program at the disparate network sites. The 



Docket No. 062891.0240 



PATENT 



second version of the program is operated in the place of 
the first version at the disparate network sites. 

Technical advantages of the present invention include 
providing an improved method and system for distributing 
5 updates in a network. In particular, programs are 

automatically updated by downloading and distributing an 
update in response to an automated event, such as a timed 
event. As a result, systems with a common program 
separately running at several sites may update each site 

10 with no or minimal operator interaction. In addition, 

updates may be automatic or with minimal operator 
interaction rolled back at each site in a system in 
response to an upgrade problem. 

Additional technical advantages of the present 

15 invention include providing an improved intrusion detection 

system. In particular, each intrusion detection sensor may 
automatically connect to a remote site and download new 
intrusion detection signatures. Each sensor may also 
distribute the new signatures to related sensors within a 

20 system. Accordingly, network vulnerability due to new 

types of attacks is reduced. In addition, an intrusion 
detection service provider may update all of its customers 
by simply providing new signatures on a website from which 
each customer's system will automatically connect to and 

25 download the new signatures in accordance with a specified 

frequency. Accordingly, the costs of providing intrusion 
detection services are reduced. 

Other technical advantages will be readily apparent to 
one skilled in the art for the following figures, 

30 description, and claims. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

For a more complete understanding of the present 
invention and its advantages, reference is now made to the 
following description taken in conjunction with the 
5 accompanying drawings, wherein like reference numerals 

represent like parts, in which: 

FIGURE 1 is a block diagram illustrating a system for 
dynamically distributing intrusion detection signatures in 
accordance with one embodiment of the present invention; 
10 FIGURE 2 is a flow diagram illustrating a computer 

method for dynamically distributing intrusion detection 
signatures in the network of FIGURE 1; and 

FIGURE 3 is a flow diagram illustrating a computer 
method for recovering from a problematic update in 
15 accordance with one embodiment of the present invention. 
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DETAILED DESCRIPTION OF THE INVENTION 

FIGURE 1 is a block diagram illustrating a system 10 
for dynamically distributing updates in a network. In this 
embodiment, new intrusion signatures are distributed to 
5 remote intrusion detection sensors. The sensors use the 

intrusion signatures to detect and report unauthorized 
entry. It will be understood that the present invention 
may be used to distribute other suitable types of updates 
to intrusion detection and other suitable types of 

10 applications within a network. 

Referring to FIGURE 1, the system 10 includes a 
private network 12 and a public network 14. For the 
embodiment of FIGURE 1, the private network is an Intranet 
20 and the public network is an Internet 22. It will be 

15 understood that the private and public networks 12 and 14 

may be other suitable types of networks. 

The Intranet 20 includes a network interconnecting a 
plurality of hosts 24. The network is a local area network 
(LAN) , a wide area network (WAN) , or other suitable type of 

20 link capable of communicating data between the hosts 24. 

For the local area network embodiment, the network may be 
an Ethernet. 

The hosts 24 are each a computer such as a personal 
computer, file server, workstation, minicomputer, mainframe 

25 or any general purpose or other computer or device capable 

of communicating with other computers or devices over a 
network. The hosts 24 operating on the border between the 
Intranet 20 and Internet 22 each include an intrusion 
detection sensor 2 6 for detecting and reporting 

30 unauthorized entry. As used herein, each means each of at 

least a subset of the identified items. 

The intrusion detection sensors 26 each include a 
common set of intrusion signatures 28. The intrusion 
signatures 28 comprise patterns of network activity that 

35 denote or indicate unauthorized access or other harmful 
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activity capable of damaging the host 24 or other aspect of 
the private network 12. Generally described, the intrusion 
detection sensors 26 detect such unauthorized access or 
attacks upon the host 24 by matching network traffic to the 
5 intrusion signatures 28. 

The Internet 22 includes a sensor update server 30. 
The sensor update server 30 may be virtually any type of 
computer capable of storing intrusion updates 32 and 
communicating with other computers or devices over the 

10 Internet 22. The intrusion update 32 includes new 

intrusion signatures generated by an intrusion detection 
service provider in response to new types of attacks. The 
intrusion detection service provider generates the new 
signatures and provides them as the update 32 on a web page 

15 at the sensor update server 30 to allow customers to access 

the new signatures over the Internet 22. As described in 
more detail below, the update 32 is downloaded by customers 
over the Internet 22 and the new signatures added to the 
intrusion signatures 28 residing on the host 24. In this 

2 0 way, the intrusion detection sensors 26 are kept up-to-date 

and able to detect and report new types of network and/or 
host based attacks. 

FIGURE 2 is a flow diagram illustrating a computer 
method for dynamically distributing intrusion detection 

25 updates over the Internet 22 or other suitable network. It 

will be understood that other types of updates for other 
types of applications may be similarly distributed over the 
Internet 22 or other suitable network without departing 
from the scope of the present invention. 

30 Referring to FIGURE 2, the method begins at step 50 in 

which a specified event is received. The specified event 
may be an automated event or a user initiated event. The 
automated event may be any event generated by the sensor or 
other software or hardware in accordance with predefined 

35 instructions or logical set of such events. In one 
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embodiment, the automated event is a timed event that is 
directly or indirectly based upon the reaching or passing 
of a specified time. For this embodiment, the intrusion 
detection sensors 2 6 may automatically age the intrusion 
5 signatures 28 after each update to allow the intrusion 

detection sensors 26 to automatically determine when the 
intrusion signatures 28 may be in need of updating. In 
this embodiment, an update event is generated in response 
to the intrusion signatures 2 8 reaching a specified age. 

10 The age is twenty-four hours or other suitable time period 

that will allow the intrusion signatures 28 to be updated 
at a frequency that will minimize vulnerability of the 
private network 12 to new types of attacks. An event or 
action is in response to a specified event when the 

15 occurrence of the specified event directly or indirectly 

triggers, at least in part, the responding event or action. 
Thus, other events may also be necessary to trigger the 
responding event or action, or intervene between the 
specified event and the responding event or action. The 

2 0 update event may be other suitable types of timed events 

such as, for example, a specified or scheduled time of day, 
week, or the like. 

In a particular embodiment, a user may select a number 
of sensors to be subordinate to a primary intrusion 

25 detection sensor or set of primary sensors. In this 

embodiment, only the primary sensors are responsible for 
generating the update event and only their intrusion 
signatures 2 8 are aged. Alternatively, each intrusion 
detection sensor 26 may independently age its own intrusion 

30 signatures 2 8 and generate the update event in response to 

its intrusion signatures 28 reaching the specified age. In 
this embodiment, no one intrusion section sensor 2 6 or 
limited set of sensors is solely relied upon to initiate 
updating. 



Docket No. 062891.0240 



PATENT 



10 

Proceeding to step 52, the intrusion detection sensor 
2 6 generating the update event automatically connects to 
the sensor update server 30 over the Internet 22. At 
decisional step 54, the intrusion detection sensor 26 
5 automatically determines whether the sensor update server 

30 includes an update 32 for the intrusion signatures 28. 
In one embodiment, the intrusion detection sensor 2 6 may 
compare a time stamp of its last update to that of a 
current file on the sensor update server 30. In this 

10 embodiment, the current file is an update 32 if the time 

stamp for the file is later than that for the last update 
for the intrusion detection sensor 26. If an update 32 is 
not available, then the current set of intrusion signatures 
28 are up-to-date and the No branch of decisional step 54 

15 leads to the end of the process . Accordingly, the 

intrusion signatures 28 are updated only when needed. 
However, if an update 32 is available on the sensor update 
server 30, the Yes branch of decision step 54 leads to step 
56. 

20 At step 56, the intrusion detection sensor 26 

automatically downloads the update 32. Preferably, the 
update 32 is downloaded in an encrypted format to prevent 
tampering and decrypted at the host 24. In addition, the 
update 32 may be protected by VPN, sequence numbering, 

25 other suitable form of secure communication, or a 

combination of forms. Next, at decisional step 58, the 
intrusion detection sensor 2 6 automatically authenticates 
the update 32. In one embodiment, the update 32 is 
authenticated by ensuring that the update is for the 

30 existing set of intrusion signatures 28. If the update 32 

is not authentic, then it should not be installed and the 
No branch of decisional step 58 leads to the end of the 
process. Accordingly, an update 32 that cannot be 
authenticated is not installed. However, if the update 32 



Docket No. 062891.0240 



PATENT 



11 

is authentic, the Yes branch of decisional step 58 leads to 
step 60. 

At step 60, the intrusion detection sensor 26 
automatically installs the update 32 to add the new 
5 signatures to the preexisting intrusion signatures 28. 

Next, at decisional step 62, the intrusion detection sensor 
26 automatically determines if it is operating correctly 
with the installed update by comparing its operation to 
specified parameters, limits, and the like. If the 

10 intrusion detection sensor 26 is not operating correctly, 

then the No branch of decisional step 62 leads to step 64 
where recovery processing is automatically initiated and 
the update 32 is uninstalled. Accordingly, the intrusion 
detection sensor 26 is returned to its previous state and 

15 the private network 12 is not left vulnerable by an 

incorrectly operating intrusion detection sensor 26. 
However, if the update intrusion sensor 26 is operating 
correctly, the Yes branch of decisional step 62 leads to 
step 66. 

20 At step 66, the intrusion detection sensor 26 

automatically broadcasts an update message over the 
Intranet 20. The update message informs the other 
intrusion detection sensors 26 of the availability of the 
update 32. Next, at step 68, the update 32 is 

25 automatically transmitted to the intrusion detection 

sensors 26 that responded to the update message. In one 
embodiment, the update message identifies the update and 
intrusion detection sensors 26 not having that update 
respond to request the update 32. The update 32 may be 

30 transmitted over the Intranet 20 in an encrypted format and 

a secure form and decrypted by each of the second stage 
intrusion detection sensors 26 as previously described for 
the first stage intrusion detection sensor 26 that 
originally received the update 32. If a sensor hierarchy 

35 is used, relationships between primary and secondary 
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sensors may be predefined with the primary sensors each 
sending updates 32 to their respective secondary sensors. 
In addition, the relationship may be recursive with 
secondary sensors having their own children. 
5 Proceeding to decisional step 70, each of the second 

stage intrusion detection sensors 26 authenticates the 
update 32 as previously described in connection with the 
first stage intrusion detection sensor 26. If the update 
32 cannot be authenticated by a second stage intrusion 

10 detection sensor 26, the No branch of decisional step 70 

returns to step 68 for that second stage intrusion 
detection sensor 2 6 where the update 32 is retransmitted to 
the intrusion detection sensor 26. Alternatively, or in 
response to several unsuccessful attempts to transmit an 

15 authentic update 32 to a second stage, the No branch of 

decisional step 70 may lead to the end of the process where 
the update 32 is not installed for that intrusion detection 
sensor 26. After an authentic update 32 is received by a 
second stage intrusion detection sensor 26, the Yes branch 

20 of decisional step 70 leads to step 72. 

At step 72, the update 32 is automatically installed 
for each of the second stage intrusion detection sensors 2 6 
receiving an authentic update 32 to generate an updated set 
of intrusion signatures 28. Accordingly, all intrusion 

25 detection sensors 26 in the private network 12 are 

automatically updated to protect all avenues of access to 
the private network 12 from the new types of attacks. 

Proceeding to decisional step 74, each of the second 
stage intrusion detection sensors 26 determine if they are 

30 operating correctly with the installed update 32. If a 

second stage intrusion detection sensor 2 6 is not operating 
correctly, the No branch of decisional step 74 leads to 
step 76. At step 76, recovery process is initiated for 
that intrusion detection sensor 2 6 and the update 32 is 

35 uninstalled. In this way, it is ensured that each of the 
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second stage intrusion detection sensors 26 will remain in 
operating condition. For each second stage intrusion 
detection sensor 2 6 operating correctly with the installed 
update 32, the Yes branch of decisional step 74 leads to 
5 the end of the process. Accordingly, all intrusion 

detection sensors 2 6 for the private network 12 have been 
automatically updated. Because user interaction is not 
required, the intrusion detection sensors 26 may be 
frequently and efficiently updated to ensure that the 
10 private network 12 is not vulnerable to new types of 

attacks . 

It will be understood that the intrusion sensors 2 6 
may be otherwise suitably updated without departing from 
the scope of the present invention. For example, although 

15 the method was described with the intrusion detection 

sensor 26 performing the specified actions, it will be 
understood that another application in or remotely from the 
hosts 24 may carry out the updating functionality 
identified for the intrusion detection sensor 26. 

2 0 FIGURE 3 illustrates a computer method for recovery 

processing in accordance with one embodiment of the present 
invention. Referring to FIGURE 3, the method begins at 
step 90- in which a recovery event is received. The 
recovery event may be initiated by an intrusion detection 

25 sensor 26 in response to incorrect operation of the 

intrusion detection sensor 26. The recovery event may also 
be independently initiated by an operator to uninstall the 
update 32 . 

Proceeding to step 92, the update 32 is uninstalled 
30 from a first intrusion detection sensor 26. The first 

intrusion detection sensor 2 6 may be the first sensor 2 6 on 
which the update 32 was initially installed or another 
intrusion detection sensor 26 detecting incorrect 
operations or receiving a user command to initiate recovery 
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processing. Uninstalling the update 32 returns the first 
intrusion detection sensor 26 to its previous state. 

Next; at step 94, the first intrusion detection sensor 
2 6 transmits a recovery message to the remaining intrusion 
5 detection sensors 26 in the private network 12 on which the 

update 32 was installed. Next, at step 96, each of the 
remaining intrusion detection sensors 26 uninstalls the 
update 32 in response to the recovery message. 
Accordingly, each intrusion detection sensor 26 in the 

10 private network 12 is returned to its previous state in 

response to a single recovery event. In this way, 
integrity of the private network 12 and the intrusion 
detection system for the private network 12 is maintained 
with each of the intrusion detection sensors 26 in a same 

15 state. Step 96 leads to the end of the process by which 

each of the intrusion detection sensors 26 have been 
returned to a same recovery state. 

Although the present invention has been described with 
several embodiments, various changes and modifications may 

20 be suggested to one skilled in the art. It is intended 

that the present invention encompass such changes and 
modifications as fall within the scope of the appended 
claims . 
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WHAT IS CLAIMED IS: 



A method for updating a first version of 



procpram operating at a network site, comprising: 

in response to an automated event, automatically 

downloading from a remote site any update for the program; 
installing a downloaded update to generate a second 

version of the program; and 

operating the second version of the program in place 

of the first version at the network site. 

2. The method of Claim 1, wherein the automated 
event is a timed event. 



3. The method of Claim 2, further comprising: 
15 aging the first version of the program; and 

wherein the timed event is the first version reaching 
a specified age. 

4. The method of Claim 3, wherein the specified age 
20 is less than or equal to twenty-four hours. 

5. The method of Claim 2, wherein the timed event 
occurs at least once a day. 



25 6. The method of Claim 1, the act of automatically 

downloading from the remote site any update for the program 
comprising: 

automatically connecting to the remote site in 
response to the automated event; 
30 automatically determining whether the remote site 

includes an update for the program; and 

in response to the remote site including an update, 
automatically downloading the update from the remote site. 
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7. The method of Claim 1, further comprising 
downloading the update in an encrypted format and 
decrypting the downloaded update prior to installation. 

5 8. The method of Claim 1, further comprising 

authenticating the downloaded update prior to installation. 



9. The method of Claim 1, further comprising: 
after installation of the downloaded update, 

10 determining whether the second version of the program is 

operating correctly; and 

in response to incorrect operation of the second 
version, restoring the first version of the program for 
operation at the network site. 

15 

10. The method of Claim 1, further comprising: 
distributing the downloaded update to a disparate 

network site operating the first version of the program; 

installing the downloaded update to generate the 
2 0 second version of the program at the disparate network 

site; and 

operating the second version of the program in place 
of the first version at the disparate network site. 
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11. The method of Claim 1, further comprising: 
after installation of the downloaded update, 

determining whether the second version of the program is 

operating correctly at the network site; 
5 in response to incorrect operation of the second 

version, restoring the first version of the program for 

operation at the network site; and 

in response to correct operation of the second version 

at the network site: 
10 distributing the downloaded update to a disparate 



network site operating the first version of the program; 

installing the downloaded update to generate the 



second version of the program at the disparate network 
site; and 



15 



operating the second version of the program in 
place of the first version at the disparate network site. 



12. The method of Claim 1, further comprising: 



broadcasting over a network an update message; 



20 



receiving in response to the update message a request 



for the downloaded update from each of a plurality of 



disparate network sites operating the first version of the 



program; 



25 



distributing the downloaded update to the disparate 
network sites requesting the downloaded update; 



installing the downloaded update to generate the 
second version of the program at each of the disparate 
network sites; and 



30 



operating the second version of the program in place 
of the first version at each of the disparate network 



sites . 
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13. The method of Claim 12, further comprising: 
receiving a recovery event at one of the network 

sites; 

automatically restoring the first version of the 
5 program at the network site at which the recovery event was 
received; 

broadcasting a recovery message from the network site 
over the network; and 

automatically restoring the first version of the 
10 program at each of the remaining network sites operating 

the second version of the program. 

14. The method of Claim 1, wherein the program is a 
set of intrusion detection signatures for an intrusion 

15 detection sensor. 

15. The method of Claim 1, wherein the remote site is 
an Internet web page. 
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A method for automatically updating an intrusion 
system having a plurality of distributed 
intrusion detection sensors each operating with a first set 
of intrusion detection signatures, comprising: 
5 in response to a specified event, automatically 

downloading from a remote site any update for the intrusion 
detection signatures; 

distributing a downloaded update to each sensor; 
installing the downloaded update to generate a second 
10 set of intrusion detection signatures for each sensor; and 

operating each sensor with the second set of intrusion 
detection signatures . 

17. The method of Claim 16, wherein the specified 
15 event is a timed event. 



18. The method of Claim 17, further comprising: 
aging the first set of intrusion detection signatures; 

and 

20 wherein the timed event is the first set of intrusion 

detection signatures reaching a specified age. 

19. The method of Claim 18, wherein the specified age 
is less than or equal to twenty-four hours. 

25 



20. The method of Claim 17, wherein the timed event 
occurs at least once a day. 
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21. The method of Claim 16, the act of automatically 
downloading from the remote site any update for the program 
comprising: 

automatically connecting to the remote site in 
5 response to the timed event; 

automatically determining whether the remote site 
includes an update for the intrusion detection signatures; 
and 

in response to the remote site including an update, 
10 automatically downloading the update from the remote site. 
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22/: An intrusion detection system, comprising: 
jk private network including a plurality of sites 
connected to a public network, each site including an 
intrusion detection sensor operating with a first set of 
5 intrusion detection signatures; and 

each of the intrusion detection sensors operable to 
automatically download from a remote site any update for 
the intrusion detection signatures in response to a 
specified event, to install a downloaded update to generate 
10 a second set of intrusion detection signatures, to operate 

with the second set of intrusion detection signatures, and 
to distribute the downloaded update to the remaining 
intrusion detection sensors for installation. 

15 23. The system of Claim 22, wherein the specified 

event is an automated event. 



20 



24. The system of Claim 23, wherein the automated 
event is a timed event. 
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METHOD AND SYSTEM FOR DYNAMICALLY DISTRIBUTING 
UPDATES IN A NETWORK 

ABSTRACT OF THE DISCLOSURE 

A first version of a program operating at a network 
site is updated by automatically downloading from a remote 
site any update for the program in response to an automated 
5 event. A downloaded update is installed to generate a 

second version of the program. The second version of the 
program is operated at the network site in place of the 
first version. 
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DECLARATION AND POWER OF ATTORNEY 
As a below named inventor, I declare that: 

My residence, post office address and citizenship are as 
stated below next to my name; that I believe I am the original, 
first and sole inventor (if only one name is listed below) or an 
original, first and joint inventor (if plural names are listed 
below) of the subject matter which is claimed and for which a 
patent is sought on the invention or design entitled METHOD AND 
SYSTEM FOR DYNAMICALLY DISTRIBUTING UPDATES IN A NETWORK, the 
specification of which is attached hereto; that I have reviewed 
and understand the contents of the above-identified 
specification, including the claims, as amended by any amendment 
referred to above; and that I acknowledge the duty to disclose 
to the U.S. Patent and Trademark Office all information known to 
me to be material to patentability as defined in 37 C.F.R. 
§ 1.56. 

I hereby claim foreign priority benefits under 35 U.S.C. 
§ 119 of any foreign application ( s ) for patent or inventor * s 
certificate listed below and have also identified below any 
foreign application ( s ) for patent or inventor's certificate 
having a filing date before that of the application on which 
priority is claimed: 

Priority 
Date Claimed 
Number Country Filed (Yes) (No) 

NONE 

I hereby claim the benefit under 35 U.S.C. § 120 of any 
United States application ( s ) listed below and, insofar as the 
subject matter of each of the claims of this application is not 
disclosed in the prior United States application (s ) in the manner 
provided by the first paragraph of 35 U.S.C. § 112, I acknowledge 
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the duty to disclose to the U.S. Patent and Trademark Office all 
information known to me to be material to patentability as 
defined in 37 C.F.R. § 1.56 which became available between the 
filing date of the prior application { s > and the national or PCT 
international filing date of this application: 

Application 

Serial Number Date Filed Status 



NONE 



I hereby appoint : 



Jprrv W Mills 
kJ JL -I— V n ♦ l i _i_ -i- -L. ij 


Reg . 


No. 


23 , 005 


Rohprt" M Phiaviello . Jr. 


Rea . 


No . 


32,461 


Ann C. Livingston 


Reg. 


No. 


32,479 


Thomas R. Felger 


Reg. 


No. 


28, 842 


Charles S. Fish 


Reg. 


No. 


35, 870 


Wei Wei Jeang 


Reg. 


No . 


33 ,305 


Kevin J. Meek 


Reg. 


No. 


33,738 


T . Murray Smith 


Reg. 


No. 


30,222 


Barton E. Showalter 


Reg. 


No. 


38,302 


David G. Wille 


Reg. 


No. 


38,363 


Bradley P. Williams 


Reg. 


No. 


40, 227 


Terry J. Stalford 


Reg. 


No. 


39,522 


Christopher W. Kennerly 


Reg. 


No. 


40, 675 


Harold E. Meier 


Reg. 


No. 


22,428 


Alexander B. Ching 


Reg. 


No. 


41, 669 


Douglas M. Kubehl 


Reg. 


No. 


41, 915 


Samir A. Bhavsar 


Reg. 


No. 


41, 617 


Thomas R. Nesbitt, Jr. 


Reg. 


No. 


22, 075 


James J, Maune 


Reg. 


No. 


26, 946 


Roger J. Fulghum 


Reg. 


No. 


39, 678 


Rodger L. Tate 


Reg. 


No. 


27, 399 


Scott F. Partridge 


Reg. 


No. 


28, 142 


James B. Arpin 


Reg. 


No. 


33,470 


James Remenick 


Reg. 


No. 


36, 902 


Jay B. Johnson 


Reg. 


No. 


38, 193 


Robert W. Holland 


Reg. 


No. 


4 0, 02 0 


Floyd B . Chapman 


Reg. 


No. 


40, 555 


Randall W. Mishler 


Reg. 


No. 


42, 006 


Robert A. King 


Reg. 


No. 


42, 738 


James L. Baudino 


Reg. 


No. 


P43, 486 


Scott T. Morris 


Reg. 


No. 


P43, 818 


Tara D. Knapp 


Reg . 


No. 


P43,723 
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all of the firm of Baker & Botts, L.L.P., my attorneys with full 
power of substitution and revocation, to prosecute this 
application and to transact all business in the United States 
Patent and Trademark Office connected therewith, and to file and 
prosecute any international patent applications filed thereon 
before any international authorities under the Patent Cooperation 
Treaty. 

Send Correspondence To : Direct Telephone Calls To : 



Baker & Botts, L.L.P. 

2001 Ross Avenue 

Dallas, Texas 75201-2980 



Terry J. Stalford 
at (214) 953-6477 
Attorney Docket No. 062891.0240 



I declare that all statements made herein of my own 
knowledge are true and that all statements made on information 
and belief are believed to be true; and further that these 
statements were made with the knowledge that willful false 
statements and the like so made are punishable by fine or 
imprisonment, or both, under Section 1001 of Title 18 of the 
United States Code, and that such willful false statements may 
jeopardize the validity of the application or any patent issuing 
thereon . 



Full name of sole inventor 

Inventor 1 s signature 
Date 

Residence (City, County, State) 

Citizenship 

Post Office Address 



Kevin J. Ziese 
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3s T/U?y 




Dripping Springs, Hays County, 
Texas 

United States of America 

705 Upland Drive 

Dripping Springs, Texas 78620 
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